ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified

skill-vetter

Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.

skill-install โ€” Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/a-din/xiaopi-skill-vetter
Or

Skill Vetter ๐Ÿ”’

Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.

When to Use

  • Before installing any skill from ClawdHub
  • Before running skills from GitHub repos
  • When evaluating skills shared by other agents
  • Anytime you're asked to install unknown code

Vetting Protocol

Step 1: Source Check

Questions to answer:
- [ ] Where did this skill come from?
- [ ] Is the author known/reputable?
- [ ] How many downloads/stars does it have?
- [ ] When was it last updated?
- [ ] Are there reviews from other agents?

Step 2: Code Review (MANDATORY)

Read ALL files in the skill. Check for these RED FLAGS:

๐Ÿšจ REJECT IMMEDIATELY IF YOU SEE:
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
โ€ข curl/wget to unknown URLs
โ€ข Sends data to external servers
โ€ข Requests credentials/tokens/API keys
โ€ข Reads ~/.ssh, ~/.aws, ~/.config without clear reason
โ€ข Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
โ€ข Uses base64 decode on anything
โ€ข Uses eval() or exec() with external input
โ€ข Modifies system files outside workspace
โ€ข Installs packages without listing them
โ€ข Network calls to IPs instead of domains
โ€ข Obfuscated code (compressed, encoded, minified)
โ€ข Requests elevated/sudo permissions
โ€ข Accesses browser cookies/sessions
โ€ข Touches credential files
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

Step 3: Permission Scope

Evaluate:
- [ ] What files does it need to read?
- [ ] What files does it need to write?
- [ ] What commands does it run?
- [ ] Does it need network access? To where?
- [ ] Is the scope minimal for its stated purpose?

Step 4: Risk Classification

Risk LevelExamplesAction
๐ŸŸข LOWNotes, weather, formattingBasic review, install OK
๐ŸŸก MEDIUMFile ops, browser, APIsFull code review required
๐Ÿ”ด HIGHCredentials, trading, systemHuman approval required
โ›” EXTREMESecurity configs, root accessDo NOT install

Output Format

After vetting, produce this report:

SKILL VETTING REPORT
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
Skill: [name]
Source: [ClawdHub / GitHub / other]
Author: [username]
Version: [version]
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
METRICS:
โ€ข Downloads/Stars: [count]
โ€ข Last Updated: [date]
โ€ข Files Reviewed: [count]
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
RED FLAGS: [None / List them]

PERMISSIONS NEEDED:
โ€ข Files: [list or "None"]
โ€ข Network: [list or "None"]  
โ€ข Commands: [list or "None"]
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
RISK LEVEL: [๐ŸŸข LOW / ๐ŸŸก MEDIUM / ๐Ÿ”ด HIGH / โ›” EXTREME]

VERDICT: [โœ… SAFE TO INSTALL / โš ๏ธ INSTALL WITH CAUTION / โŒ DO NOT INSTALL]

NOTES: [Any observations]
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Quick Vet Commands

For GitHub-hosted skills:

# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'
Read Full Documentation on GitHub

Metadata

Author@a-din
Stars4473
Views1
Updated2026-05-01
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build โ€” we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-a-din-xiaopi-skill-vetter": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

auto-updater

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.

a-din 4473

self-improving-agent

AI่‡ชๆˆ‘ๆ”น่ฟ›ไธŽ่ฎฐๅฟ†็ณป็ปŸ - ่งฃๅ†ณ'ๅŒ็ฑป้”™่ฏฏๅๅค็Šฏใ€็”จๆˆท็บ ๆญฃไธ้•ฟ่ฎฐๆ€ง'็š„็—›็‚นใ€‚่‡ชๅŠจๆ•่Žท้”™่ฏฏใ€็”จๆˆท็บ ๆญฃใ€ๆœ€ไฝณๅฎž่ทต๏ผŒๅนถ่ฝฌๅŒ–ไธบ้•ฟๆœŸ่ฎฐๅฟ†ใ€‚

a-din 4473

Agent Browser

A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured commands.

a-din 4473

mockplus-reader

่ฏปๅ–ๅ’Œๅˆ†ๆž MockPlus ๅœจ็บฟ่ฎพ่ฎก้กต้ขใ€‚็”จไบŽ๏ผš๏ผˆ1๏ผ‰ๆ‰“ๅผ€ๅนถ่งฃๆž MockPlus ็ฝ‘้กต้“พๆŽฅ๏ผŒ๏ผˆ2๏ผ‰ๆๅ–้กต้ขไธญ็š„่ฎพ่ฎกไฟกๆฏใ€็ป“ๆž„ใ€็ป„ไปถ๏ผŒ๏ผˆ3๏ผ‰ๅˆ†ๆžๅŽŸๅž‹็จฟๅ†…ๅฎนๅ’Œไบคไบ’่ฏดๆ˜Žใ€‚ๅฝ“็”จๆˆทๅ‘้€ MockPlus ้“พๆŽฅๆˆ–่ฆๆฑ‚ๅˆ†ๆžๅŽŸๅž‹็จฟๆ—ถไฝฟ็”จๆญคๆŠ€่ƒฝใ€‚

a-din 4473

chrome-devtools

Uses Chrome DevTools via MCP for efficient debugging, troubleshooting and browser automation. Use when debugging web pages, automating browser interactions, analyzing performance, or inspecting network requests.

a-din 4473